CN116070382A - Risk prediction method and device for network, processor and electronic equipment - Google Patents

Publication number
CN116070382A
Authority
CN
China
Prior art keywords
network
directed graph
value corresponding
risk
network directed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211734945.7A
Other languages
Chinese (zh)
Inventor
曾悦
林吟燊
陈舒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Corp Ltd filed Critical China Telecom Corp Ltd
Priority to CN202211734945.7A priority Critical patent/CN116070382A/en
Publication of CN116070382A publication Critical patent/CN116070382A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F30/00 Computer-aided design [CAD]
    • G06F30/10 Geometric CAD
    • G06F30/18 Network design, e.g. design based on topological or interconnect aspects of utility systems, piping, heating ventilation air conditioning [HVAC] or cabling
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F30/00 Computer-aided design [CAD]
    • G06F30/20 Design optimisation, verification or simulation
    • G06F30/27 Design optimisation, verification or simulation using machine learning, e.g. artificial intelligence, neural networks, support vector machines [SVM] or training a model
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2119/00 Details relating to the type or aim of the analysis or the optimisation
    • G06F2119/02 Reliability analysis or reliability optimisation; Failure analysis, e.g. worst case scenario performance, failure mode and effects analysis [FMEA]

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Geometry (AREA)
  • Evolutionary Computation (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Medical Informatics (AREA)
  • Software Systems (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a risk prediction method and device for a network, a processor and electronic equipment. The method comprises the following steps: acquiring a network directed graph, wherein the network directed graph at least comprises a plurality of nodes and a plurality of edges, each node represents a device in a target network, and each edge represents an access relation among the devices in the target network; acquiring a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each edge in the network directed graph; inputting the risk matrix, the weight value corresponding to each node and the weight value corresponding to each edge into a graph neural network, and outputting a risk value corresponding to each device in the target network; and predicting the security risk of the target network according to the risk value corresponding to each device in the target network. The method and the device solve the problem in the related art of low accuracy in predicting whether a network has security risks.

Description

Risk prediction method and device for network, processor and electronic equipment
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method and apparatus for predicting risk of a network, a processor, and an electronic device.
Background
At present, security protection devices are increasingly numerous and generate massive numbers of security events every day, but most of this data is false alarms and noise. The information the user needs to focus on is buried, and when the user receives an alarm from the security protection system, the user does not know where it came from or how to handle it. Moreover, after a security event occurs, it is unclear which devices it affects, how large the impact surface is, how serious the consequences are, and which assets the attacker may attack; it is also unclear how to protect against subsequent security events of the same kind and avoid them in advance. This series of problems results in low accuracy in predicting whether the network has security risks.
Aiming at the problem of low accuracy of predicting whether a network has security risks in the related technology, no effective solution is proposed at present.
Disclosure of Invention
The main objective of the present application is to provide a method and apparatus for predicting risk of a network, a processor and an electronic device, so as to solve the problem of low accuracy of predicting whether a security risk exists in a network in a related technology.
To achieve the above object, according to one aspect of the present application, there is provided a risk prediction method for a network. The method comprises the following steps: obtaining a network directed graph, wherein the network directed graph at least comprises a plurality of nodes and a plurality of edges, each node is used for representing each device in a target network, each edge is used for representing access relations among a plurality of devices in the target network, and the target network is a network to be subjected to security risk prediction; acquiring a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph; inputting a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph to a graph neural network, and outputting a risk value corresponding to each device in the target network; and predicting the security risk of the target network according to the risk value corresponding to each device in the target network.
Further, according to the risk value corresponding to each device in the target network, performing security risk prediction on the target network includes: judging whether risk values corresponding to all devices in the target network are preset values or not; if the risk value corresponding to each device in the target network is the preset value, determining that the target network has no security risk; and if the risk value corresponding to each device in the target network is not the preset value, determining that the target network has safety risk.
Further, obtaining the network directed graph includes: acquiring a plurality of devices in the target network; determining access relationships among a plurality of devices in the target network; and determining the network directed graph according to the access relation between the plurality of devices in the target network and the plurality of devices in the target network.
Further, before acquiring the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph, and the weight value corresponding to each edge in the network directed graph, the method further includes: obtaining vulnerability information of each device in the network directed graph; determining whether the vulnerability among a plurality of devices in the network directed graph is utilized in a correlation manner according to the vulnerability information of each device in the network directed graph; if the vulnerability among the plurality of devices in the network directed graph is associated and utilized, calculating an initial weight value corresponding to each side in the network directed graph according to the vulnerability association and utilization degree among the plurality of devices in the network directed graph.
Further, the obtaining the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph, and the weight value corresponding to each edge in the network directed graph includes: converting the network directed graph to obtain a risk matrix corresponding to the network directed graph; according to vulnerability information of each device in the network directed graph, calculating to obtain a weight value corresponding to each node in the network directed graph; determining the influence degree of the target equipment in the network directed graph on other equipment in the network directed graph after the safety event occurs, wherein the safety event occurring in the target equipment in the network directed graph indicates that the target equipment is attacked; and adjusting the initial weight value corresponding to each side in the network directed graph according to the influence degree of the target device in the network directed graph on other devices in the network directed graph after the security event occurs, so as to obtain the weight value corresponding to each side in the network directed graph.
Further, determining whether there is an association utilization of vulnerabilities between a plurality of devices in the network directed graph according to vulnerability information of each device in the network directed graph includes: acquiring a network security knowledge graph; and determining whether the vulnerability among a plurality of devices in the network directed graph is utilized in a correlation manner according to the network security knowledge graph and the vulnerability information of each device in the network directed graph.
Further, obtaining the network security knowledge graph includes: acquiring a plurality of attack methods possibly used by an attack network, availability among the plurality of attack methods and consequences generated by adopting each attack method; and determining the network security knowledge graph according to a plurality of attack methods possibly used by the attack network, availability among the plurality of attack methods and results generated by adopting each attack method.
In order to achieve the above object, according to another aspect of the present application, there is provided a risk prediction apparatus for a network. The device comprises: the first acquisition unit is used for acquiring a network directed graph, wherein the network directed graph at least comprises a plurality of nodes and a plurality of edges, each node is used for representing each device in a target network, each edge is used for representing the access relation among a plurality of devices in the target network, and the target network is a network to be subjected to security risk prediction; the second acquisition unit is used for acquiring a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph; the first processing unit is used for inputting a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph into a graph neural network, and outputting a risk value corresponding to each device in the target network; the first prediction unit is used for predicting the security risk of the target network according to the risk value corresponding to each device in the target network.
Further, the first prediction unit includes: the first judging module is used for judging whether the risk value corresponding to each device in the target network is a preset value or not; the first determining module is used for determining that the target network has no security risk if the risk value corresponding to each device in the target network is the preset value; and the second determining module is used for determining that the target network has safety risk if the risk value corresponding to each device in the target network is not the preset value.
Further, the first acquisition unit includes: the first acquisition module is used for acquiring a plurality of devices in the target network; a third determining module, configured to determine an access relationship between a plurality of devices in the target network; and a fourth determining module, configured to determine the network directed graph according to access relationships between the plurality of devices in the target network and the plurality of devices in the target network.
Further, the apparatus further comprises: the third obtaining unit is used for obtaining vulnerability information of each device in the network directed graph before obtaining a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph; the first determining unit is used for determining whether the vulnerability among a plurality of devices in the network directed graph is utilized in a correlation mode according to the vulnerability information of each device in the network directed graph; the first calculating unit is used for calculating an initial weight value corresponding to each side of the network directed graph according to the association utilization degree of the vulnerability among the plurality of devices in the network directed graph if the association utilization exists among the vulnerability among the plurality of devices in the network directed graph.
Further, the second acquisition unit includes: the first processing module is used for converting the network directed graph to obtain a risk matrix corresponding to the network directed graph; the first calculation module is used for calculating a weight value corresponding to each node in the network directed graph according to the vulnerability information of each device in the network directed graph; a fifth determining module, configured to determine an influence degree of the target device in the network directed graph on other devices in the network directed graph after a security event occurs in the target device, where the occurrence of the security event in the target device in the network directed graph indicates that the target device is attacked; the first adjusting module is used for adjusting the initial weight value corresponding to each side in the network directed graph according to the influence degree of the target device in the network directed graph on other devices in the network directed graph after the security event occurs, so as to obtain the weight value corresponding to each side in the network directed graph.
Further, the first determination unit includes: the second acquisition module is used for acquiring a network security knowledge graph; and a sixth determining module, configured to determine whether the vulnerability between the multiple devices in the network directed graph is used in association according to the network security knowledge graph and the vulnerability information of each device in the network directed graph.
Further, the second acquisition module includes: the first acquisition submodule is used for acquiring a plurality of attack devices possibly used by an attack network, availability among the plurality of attack devices and consequences generated by adopting each attack device; and the first determining submodule is used for determining the network security knowledge graph according to a plurality of attack devices possibly used by an attack network, availability among the plurality of attack devices and results generated by adopting each attack device.
To achieve the above object, according to another aspect of the present application, there is provided a processor for executing a program, wherein the program executes the risk prediction method of the network according to any one of the above.
To achieve the above object, according to another aspect of the present application, there is provided an electronic device including one or more processors and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the risk prediction method of the network of any of the above.
Through the application, the following steps are adopted: acquiring a network directed graph, wherein the network directed graph at least comprises a plurality of nodes and a plurality of edges, each node is used for representing each device in a target network, each edge is used for representing access relations among a plurality of devices in the target network, and the target network is a network to be subjected to security risk prediction; acquiring a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph; inputting a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph into a graph neural network, and outputting a risk value corresponding to each device in a target network; according to the risk value corresponding to each device in the target network, the target network is subjected to security risk prediction, and the problem that whether the network is predicted to have security risk in the related technology is low in accuracy is solved. 
The method comprises the steps of constructing a network directed graph through a target network to be subjected to security risk prediction, obtaining a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph, inputting the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph and the weight value corresponding to each side in the network directed graph into a graph neural network, outputting a risk value corresponding to each device in the target network, and performing security risk prediction on the target network according to the risk value corresponding to each device in the target network, so that the effect of improving the accuracy of predicting whether the network has security risks or not is achieved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application, illustrate and explain the application and are not to be construed as limiting the application. In the drawings:
FIG. 1 is a flow chart of a risk prediction method for a network provided according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a network security knowledge graph constructed in an embodiment of the present application;
FIG. 3 is a flow chart of an alternative network risk prediction method provided in accordance with an embodiment of the present application;
FIG. 4 is a schematic diagram of a risk prediction apparatus for a network provided according to an embodiment of the present application;
FIG. 5 is a schematic diagram of an electronic device provided according to an embodiment of the present application.
Detailed Description
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate in order to describe the embodiments of the present application described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, related information (including, but not limited to, user equipment information, user personal information, etc.) and data (including, but not limited to, data for presentation, analyzed data, etc.) related to the present disclosure are information and data authorized by a user or sufficiently authorized by each party. For example, an interface is provided between the system and the relevant user or institution, before acquiring the relevant information, the system needs to send an acquisition request to the user or institution through the interface, and acquire the relevant information after receiving the consent information fed back by the user or institution.
For convenience of description, the following will describe some terms or terms related to the embodiments of the present application:
Directed graph: represents the relationships between items.
Graph neural network: graph neural network (GNN) is a general term for algorithms that use neural networks to learn from graph-structured data, extracting and discovering the features and patterns in that data to meet the needs of graph learning tasks such as clustering, classification, prediction, segmentation and generation.
The present invention will be described with reference to preferred implementation steps, and fig. 1 is a flowchart of a risk prediction method for a network according to an embodiment of the present application, as shown in fig. 1, where the method includes the following steps:
Step S101, a network directed graph is obtained, wherein the network directed graph at least comprises a plurality of nodes and a plurality of edges, each node represents a device in a target network, each edge represents an access relation among the devices in the target network, and the target network is a network to be subjected to security risk prediction.
For example, a network directed graph corresponding to a network to be subjected to security risk prediction may be constructed according to access relationships among a plurality of devices in the network.
Step S102, a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each edge in the network directed graph are obtained.
For example, the constructed network directed graph is converted into a risk matrix, and a weight value corresponding to each node in the network directed graph and a weight value corresponding to each edge in the network directed graph are obtained.
Step S103, the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph and the weight value corresponding to each edge in the network directed graph are input to the graph neural network, and a risk value corresponding to each device in the target network is output.
For example, the risk matrix after conversion, the weight value corresponding to each node in the network directed graph, and the weight value corresponding to each edge in the network directed graph may be input to the graph neural network, and then the risk value corresponding to each device in the network to be subjected to security risk prediction may be obtained.
Step S104, according to the risk value corresponding to each device in the target network, carrying out security risk prediction on the target network.
For example, according to the risk value corresponding to each device in the network to be subjected to the security risk prediction output by the graph neural network, whether the network has security risk is predicted.
Through the steps S101 to S104, a network directed graph is constructed through the target network to be subjected to security risk prediction, a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph are obtained, then the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph and the weight value corresponding to each side in the network directed graph are input into the graph neural network, a risk value corresponding to each device in the target network is output, security risk prediction is performed on the target network according to the risk value corresponding to each device in the target network, and therefore the effect of improving the accuracy of predicting whether the network has security risks is achieved.
In order to quickly and accurately determine the network security knowledge graph, in the risk prediction method of the network provided by the embodiment of the application, the network security knowledge graph can be determined through the following steps: acquiring a plurality of attack methods possibly used by an attack network, availability among the plurality of attack methods and consequences generated by adopting each attack method; and determining a network security knowledge graph according to a plurality of attack methods possibly used by the attack network, availability among the plurality of attack methods and results generated by adopting each attack method.
For example, FIG. 2 is a schematic diagram of a network security knowledge graph constructed in the embodiment of the present application. As shown in FIG. 2, the network security attack knowledge graph may be constructed by accumulating and collecting the professional knowledge of security experts: according to attack type, attack methods are taken as entities and the mutual availability of attack methods is taken as the relationship between them; the preconditions of an attack method (such as vulnerabilities) and the impacts or threats it produces are taken as attributes of the entity. In FIG. 2, "sequence" shows the consequences that may occur with the attack method, and "exploit" shows which vulnerability the attack method uses.
By the scheme, the network security knowledge graph can be quickly and accurately constructed.
In order to quickly and accurately determine the network directed graph, in the risk prediction method of the network provided by the embodiment of the application, the network directed graph may also be determined by the following steps: acquiring a plurality of devices in a target network; determining access relationships among a plurality of devices in a target network; and determining a network directed graph according to the access relationship between the plurality of devices in the target network and the plurality of devices in the target network.
For example, network device policies may be imported to build the user's network topology and thereby construct the network directed graph. The network directed graph represents the access relationships between the devices in the network.
By the scheme, the network directed graph can be quickly and accurately constructed.
In order to quickly and accurately calculate an initial weight value corresponding to each edge in the network directed graph, in the risk prediction method of the network provided by the embodiment of the present application, the initial weight value corresponding to each edge in the network directed graph may also be calculated by: obtaining vulnerability information of each device in a network directed graph; determining whether the vulnerability among a plurality of devices in the network directed graph is utilized in a correlation manner according to the vulnerability information of each device in the network directed graph; if the vulnerability among the plurality of devices in the network directed graph is utilized in a correlation manner, calculating an initial weight value corresponding to each side in the network directed graph according to the degree of the vulnerability among the plurality of devices in the network directed graph.
For example, to calculate the edge weights of the directed graph from vulnerabilities, the user's asset vulnerability information is prepared first; the asset vulnerability information is shown in Table 1. Then, based on the exposure of the asset and the vulnerability level of the asset (the vulnerability level is calculated from the difficulty of exploitation and the resulting impact), the threat value of each vulnerability is input into the constructed network directed graph and used as the weight value of the corresponding edge; the greater the weight value, the higher the threat. The calculation formula is as follows:
Figure BDA0004032648950000071
TABLE 1
Figure BDA0004032648950000072
Figure BDA0004032648950000081
By the scheme, the initial weight value corresponding to each edge in the network directed graph can be calculated rapidly and accurately.
In order to quickly and accurately obtain a risk matrix corresponding to a network directed graph, a weight value corresponding to each node in the network directed graph, and a weight value corresponding to each edge in the network directed graph, in the risk prediction method of a network provided in the embodiment of the present application, the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph, and the weight value corresponding to each edge in the network directed graph may be further obtained by: converting the network directed graph to obtain a risk matrix corresponding to the network directed graph; according to vulnerability information of each device in the network directed graph, calculating to obtain a weight value corresponding to each node in the network directed graph; determining the influence degree of the target equipment in the network directed graph on other equipment in the network directed graph after the security event occurs, wherein the occurrence of the security event by the target equipment in the network directed graph indicates that the target equipment is attacked; and adjusting the initial weight value corresponding to each side in the network directed graph according to the influence degree of the target device in the network directed graph on other devices in the network directed graph after the security event occurs, so as to obtain the weight value corresponding to each side in the network directed graph.
For example, the network directed graph may be converted into a risk matrix, and then a weight value corresponding to each node in the network directed graph is calculated according to the vulnerability information, and then an initial weight value corresponding to each edge in the network directed graph is adjusted to obtain a weight value corresponding to each edge in the network directed graph.
Moreover, when the initial weight value corresponding to each edge in the network directed graph is adjusted, it may be taken into account that vulnerabilities on different nodes can be exploited in association and that the security-event risks of the nodes influence one another. For each node in the graph, whether its vulnerabilities can be exploited in association with those of every node reachable from it is calculated according to the asset vulnerabilities and the constructed network security knowledge graph, and the weight of the edge between the two nodes is adjusted accordingly and used as the attention coefficient between the nodes.
By the scheme, the weight value corresponding to each edge in the network directed graph can be quickly and accurately adjusted, so that the accuracy of the weight value corresponding to each edge in the network directed graph is improved.
In order to quickly and accurately determine whether the vulnerability between the plurality of devices in the network directed graph is utilized in an association manner, in the risk prediction method of the network provided by the embodiment of the application, whether the vulnerability between the plurality of devices in the network directed graph is utilized in an association manner may be determined by the following steps: acquiring a network security knowledge graph; and determining whether the vulnerability among a plurality of devices in the network directed graph is utilized in a correlation manner according to the network security knowledge graph and the vulnerability information of each device in the network directed graph.
For example, whether a node's vulnerabilities can be exploited in association with those of all nodes reachable from it may be calculated from the asset vulnerabilities and the constructed network security knowledge graph.
By the scheme, whether the vulnerability among the plurality of devices in the network directed graph is utilized in a correlation manner can be rapidly and accurately determined.
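The association check described above can be illustrated with a short added example; it is not code from the patent. The knowledge graph, the device names, the `VULN-00x` identifiers and the rule that two devices are "associated" when a method usable on the source enables a method usable on a reachable destination are all constructed assumptions.

```python
from collections import deque

# Constructed knowledge graph: attack methods are the entities, "precondition"
# (a vulnerability) and "impact" are their attributes, and ENABLES is the
# mutual-availability relation between methods. All values are placeholders.
ATTACK_METHODS = {
    "initial_access":       {"precondition": "VULN-001", "impact": "foothold"},
    "privilege_escalation": {"precondition": "VULN-002", "impact": "admin rights"},
    "data_tampering":       {"precondition": "VULN-003", "impact": "integrity loss"},
}
ENABLES = {
    "initial_access": {"privilege_escalation"},
    "privilege_escalation": {"data_tampering"},
}

# Constructed network directed graph: an edge u -> v means u can access v.
ACCESS = {
    "gateway": ["web"],
    "web": ["app"],
    "app": ["db"],
    "db": [],
    "printer": ["web"],
}

# Constructed asset vulnerability information per device.
DEVICE_VULNS = {
    "gateway": {"VULN-001"},
    "web": {"VULN-002"},
    "app": set(),
    "db": {"VULN-003"},
    "printer": set(),
}


def reachable(graph, start):
    """All nodes reachable from start along directed access edges (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def methods_usable_on(device):
    """Attack methods whose precondition vulnerability is present on device."""
    vulns = DEVICE_VULNS.get(device, set())
    return {m for m, attrs in ATTACK_METHODS.items()
            if attrs["precondition"] in vulns}


def associated_pairs(graph):
    """Map (src, dst) to the method chains linking their vulnerabilities.

    A pair is reported when dst is reachable from src and some method usable
    on src enables, per the knowledge graph, a method usable on dst.
    """
    result = {}
    for src in graph:
        src_methods = methods_usable_on(src)
        for dst in reachable(graph, src):
            chains = sorted(
                (a, b)
                for a in src_methods
                for b in methods_usable_on(dst)
                if b in ENABLES.get(a, set())
            )
            if chains:
                result[(src, dst)] = chains
    return result


if __name__ == "__main__":
    for pair, chains in associated_pairs(ACCESS).items():
        print(pair, chains)
```

Note that `web` and `db` are reported as associated although they are only connected through `app`, which has no vulnerability of its own; this is the effect of checking every reachable node rather than only direct neighbours.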
In order to rapidly and accurately predict the security risk of the target network, in the risk prediction method of the network provided by the embodiment of the application, the security risk of the target network can be predicted by the following steps: judging whether the risk value corresponding to each device in the target network is a preset value or not; if the risk value corresponding to each device in the target network is a preset value, determining that the target network has no safety risk; if the risk value corresponding to each device in the target network is not the preset value, determining that the target network has safety risk.
For example, the preset value may be zero. That is, if the risk value of each device in the network is zero, it indicates that there is no security risk in the network, and if there is a case where the risk value of the device in the network is not zero, it indicates that there is a security risk in the network.
By the scheme, whether the network has security risk can be rapidly and accurately determined.
For example, fig. 3 is a flowchart of an alternative network risk prediction method provided according to an embodiment of the present application, and as shown in fig. 3, the alternative network risk prediction method includes the following steps:
Step 1: Construct a network security knowledge graph:
Accumulate and collect the professional knowledge of security experts and construct a network security attack knowledge graph, in which attack types and attack methods are the entities, the mutual availability of the attack methods is the relation, and the preconditions of an attack method (such as vulnerabilities) and the impact or threat it produces are attributes of the entity.
Step 2: Construct a network directed graph:
Import the network device policies to construct the user network topology and the network directed graph.
Step 3: Calculate the directed graph edge weights in combination with vulnerabilities:
Prepare the user asset vulnerability information and, for the asset exposure situation, calculate the threat value of each vulnerability from its difficulty level and its impact result. Input the threat values into the directed graph constructed in step 2 as the weight values of the edges between nodes; the greater the weight value, the higher the threat.
Figure BDA0004032648950000091
Step 4: Edge weight adjustment:
Take into account that vulnerabilities on different nodes can be exploited in association and that the security-event risks of the nodes influence one another. For each node in the graph, calculate, according to the asset vulnerabilities and the network security knowledge graph prepared in step 1, whether its vulnerabilities can be exploited in association with those of every node reachable from it, and adjust the weight of the edge between the two nodes so that it serves as the attention coefficient between the nodes.
Step 5: Build a network graph embedding model:
Take the plurality of network attribute matrices corresponding to the nodes as input and perform a series of encoding and decoding operations on each network attribute matrix. In order to extract the topological structure information of the opportunity network, a hidden layer for integrating the original features is added in the encoding stage and a hidden layer for decomposing the embedded features is added in the decoding stage. The embedding matrix formed by the node attribute embedding vectors is finally obtained as the output of the model.
Node threat attribute matrix:
R=(r1,r2,…,rn)
Encoder encoding section:
Figure BDA0004032648950000101
Figure BDA0004032648950000102
Figure BDA0004032648950000103
where f is an activation function, Q is a weight matrix, c is a bias matrix, l is the total number of layers of the encoder, y_i is the attribute matrix converted by the encoder, and r1, r2, …, rn are the node threat attribute values.
Output matrix:
S=(s1,s2,…,sn)
where s1, s2, …, sn are the node attribute embedding vectors.
Step 6: performing risk assessment ranking by using the GNN graph neural network:
Take the feature matrix formed by the attribute embedding vectors generated in step 5 as the input of the node risk assessment model, and the risk degree sequence RV = {RV_1, RV_2, RV_3, …, RV_n} formed by the node risk values as the output of the model.
Considering that vulnerabilities on different nodes can be exploited in association and that the risks of the nodes influence one another, a convolution operation is performed on adjacent nodes using the association relation between the nodes: the attention coefficients between nodes generated in step 4 are introduced, the attention coefficients between each node and its neighbors are normalized with a softmax function to obtain the attention factors between nodes, and the dynamic attribute embedding vectors of the nodes are finally weighted and summed using the attention factors, yielding a new node dynamic attribute embedding matrix fused with neighborhood information:
S′ = {s′_1, s′_2, s′_3, …, s′_n}
Take the dynamic embedding vectors as the input of the output layer and perform a dimension-reduction conversion on the updated node dynamic embedding vectors to obtain the asset risk emergency degree sequence composed of the network node risk values:
RV = {RV_1, RV_2, RV_3, …, RV_n}
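The aggregation in step 6 can be made concrete with an added example, which is not code from the patent. The edge weights, embedding vectors, the self-attention coefficient, the choice to aggregate over the devices a node can access, and the fixed linear output layer are all assumptions made for illustration; the preset value of zero follows the decision rule stated earlier in the description.

```python
import math

# Constructed inputs. EDGE_WEIGHT[(u, v)] is the adjusted edge weight from
# step 4, used as the attention coefficient of neighbour v as seen from u.
EDGE_WEIGHT = {
    ("gateway", "web"): 2.0,
    ("web", "app"): 1.0,
    ("web", "db"): 3.0,
    ("app", "db"): 0.5,
}
# Node attribute embedding vectors s_i (the output of step 5), constructed.
EMBEDDING = {
    "gateway": [0.2, 0.1],
    "web": [0.6, 0.4],
    "app": [0.1, 0.0],
    "db": [0.9, 0.8],
}
SELF_COEFF = 1.0             # assumption: every node also attends to itself
OUTPUT_WEIGHTS = [0.5, 0.5]  # assumption: fixed linear output layer


def attention_factors(node, edge_weight):
    """Softmax-normalise the coefficients of node and the nodes it can access."""
    coeffs = {node: SELF_COEFF}
    for (src, dst), weight in edge_weight.items():
        if src == node:
            coeffs[dst] = weight
    peak = max(coeffs.values())  # subtract the maximum for numerical stability
    exps = {n: math.exp(c - peak) for n, c in coeffs.items()}
    total = sum(exps.values())
    return {n: e / total for n, e in exps.items()}


def aggregate(edge_weight, embedding):
    """s'_i = sum over j of alpha_ij * s_j, j ranging over i and its neighbours."""
    updated = {}
    for node, vec in embedding.items():
        alpha = attention_factors(node, edge_weight)
        updated[node] = [
            sum(alpha[n] * embedding[n][k] for n in alpha)
            for k in range(len(vec))
        ]
    return updated


def risk_values(edge_weight, embedding):
    """Dimension reduction: project each updated vector s'_i to a scalar RV_i."""
    updated = aggregate(edge_weight, embedding)
    return {n: sum(w * x for w, x in zip(OUTPUT_WEIGHTS, vec))
            for n, vec in updated.items()}


def rank_by_risk(rv):
    """Device names ordered from highest to lowest risk value."""
    return sorted(rv, key=lambda n: rv[n], reverse=True)


def has_security_risk(rv, preset=0.0):
    """The network is risk-free only if every device equals the preset value."""
    return any(value != preset for value in rv.values())


if __name__ == "__main__":
    rv = risk_values(EDGE_WEIGHT, EMBEDDING)
    for name in rank_by_risk(rv):
        print(f"{name:8s} {rv[name]:.3f}")
    print("security risk:", has_security_risk(rv))
```

With these constructed inputs `web` ranks above `gateway` and `app` because most of its attention falls on the high-threat `db` node, which shows how a heavily weighted edge pulls a neighbour's risk into a device's own score.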
The method provided by the embodiments of the present application can be used, for example, to evaluate the impact on the intranet after a user's LAN suffers a network attack. The specific procedure is as follows:
1. Data preparation phase
(1) Collect the intranet network configuration information, import the configuration information of the routers and switches, and establish the network topology directed graph.
(2) Prepare and standardize all vulnerability information of the assets in the network environment.
(3) Input the vulnerability information and security events, and adjust the weight values through the formula calculations of step 3 and step 4.
(4) Output the attribute vector matrix through graph embedding.
2. Application phase
(1) Output the network node risk assessment result matrix through the graph neural network, and rank the nodes according to risk.
(2) The higher the asset risk value, the greater the risk of attack.
Therefore, a directed graph is constructed according to the network topology, asset vulnerabilities are introduced, and threat values are calculated as the edge weights of the directed graph using information such as the vulnerability difficulty level and the vulnerability hazard level; the edge weights in the directed graph can be recalculated and adjusted using the exploitable association among vulnerabilities and the risk influence on adjacent nodes after a security event occurs on an asset; self-encoding graph embedding is used, combining the client network topology information with the node threat attribute information, to output an attribute matrix containing the topological relations; and the weights of the mutual-influence relations between the directed graph nodes are used as attention coefficients to construct a graph neural network that performs weighted aggregation of the nodes' attribute embedding vectors according to the relations among the nodes, so that risk values can be calculated with the neighborhood information of the nodes fused in.
In summary, in the risk prediction method for a network provided by the embodiment of the present application, a network directed graph is obtained, where the network directed graph at least includes a plurality of nodes and a plurality of edges, each node is used to represent each device in a target network, each edge is used to represent an access relationship between a plurality of devices in the target network, and the target network is a network to be subjected to security risk prediction; acquiring a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph; inputting a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph into a graph neural network, and outputting a risk value corresponding to each device in a target network; according to the risk value corresponding to each device in the target network, the target network is subjected to security risk prediction, and the problem that whether the network is predicted to have security risk in the related technology is low in accuracy is solved. 
The method comprises the steps of constructing a network directed graph through a target network to be subjected to security risk prediction, obtaining a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph, inputting the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph and the weight value corresponding to each side in the network directed graph into a graph neural network, outputting a risk value corresponding to each device in the target network, and performing security risk prediction on the target network according to the risk value corresponding to each device in the target network, so that the effect of improving the accuracy of predicting whether the network has security risks or not is achieved.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
The embodiment of the application also provides a risk prediction device of the network, and the risk prediction device of the network of the embodiment of the application can be used for executing the risk prediction method for the network. The following describes a risk prediction device of a network provided in an embodiment of the present application.
Fig. 4 is a schematic diagram of a risk prediction apparatus of a network according to an embodiment of the present application. As shown in fig. 4, the apparatus includes: a first acquisition unit 401, a second acquisition unit 402, a first processing unit 403, and a first prediction unit 404.
Specifically, the first obtaining unit 401 is configured to obtain a network directed graph, where the network directed graph at least includes a plurality of nodes and a plurality of edges, each node is configured to represent each device in a target network, each edge is configured to represent an access relationship between a plurality of devices in the target network, and the target network is a network to be subjected to security risk prediction;
A second obtaining unit 402, configured to obtain a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph, and a weight value corresponding to each edge in the network directed graph;
the first processing unit 403 is configured to input a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph, and a weight value corresponding to each edge in the network directed graph to the graph neural network, and output a risk value corresponding to each device in the target network;
the first prediction unit 404 is configured to perform security risk prediction on the target network according to the risk value corresponding to each device in the target network.
In summary, in the risk prediction apparatus for a network provided in the embodiments of the present application, a first obtaining unit 401 is configured to obtain a network directed graph, where the network directed graph includes at least a plurality of nodes and a plurality of edges, each node is configured to represent each device in a target network, each edge is configured to represent an access relationship between a plurality of devices in the target network, and the target network is a network to be subjected to security risk prediction; the second obtaining unit 402 obtains a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph, and a weight value corresponding to each edge in the network directed graph; the first processing unit 403 inputs the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph, and the weight value corresponding to each edge in the network directed graph to the graph neural network, and outputs the risk value corresponding to each device in the target network; the first prediction unit 404 predicts the security risk of the target network according to the risk value corresponding to each device in the target network, so as to solve the problem of low accuracy of predicting whether the security risk exists in the network in the related technology. 
The method comprises the steps of constructing a network directed graph through a target network to be subjected to security risk prediction, obtaining a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph, inputting the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph and the weight value corresponding to each side in the network directed graph into a graph neural network, outputting a risk value corresponding to each device in the target network, and performing security risk prediction on the target network according to the risk value corresponding to each device in the target network, so that the effect of improving the accuracy of predicting whether the network has security risks or not is achieved.
Optionally, in the risk prediction apparatus for a network provided in the embodiment of the present application, the first prediction unit includes: the first judging module is used for judging whether the risk value corresponding to each device in the target network is a preset value or not; the first determining module is used for determining that the target network has no security risk if the risk value corresponding to each device in the target network is a preset value; and the second determining module is used for determining that the target network has safety risk if the risk value corresponding to each device in the target network is not the preset value.
Optionally, in the risk prediction apparatus for a network provided in the embodiment of the present application, the first obtaining unit includes: the first acquisition module is used for acquiring a plurality of devices in the target network; a third determining module, configured to determine an access relationship between a plurality of devices in a target network; and the fourth determining module is used for determining the network directed graph according to the access relation between the plurality of devices in the target network and the plurality of devices in the target network.
Optionally, in the risk prediction apparatus for a network provided in the embodiment of the present application, the apparatus further includes: the third obtaining unit is used for obtaining vulnerability information of each device in the network directed graph before obtaining a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph; the first determining unit is used for determining whether the vulnerability among the plurality of devices in the network directed graph is utilized in a correlation mode according to the vulnerability information of each device in the network directed graph; the first calculating unit is used for calculating an initial weight value corresponding to each side of the network directed graph according to the association utilization degree of the vulnerability among the plurality of devices in the network directed graph if the association utilization exists among the vulnerability among the plurality of devices in the network directed graph.
Optionally, in the risk prediction apparatus for a network provided in the embodiment of the present application, the second obtaining unit includes: the first processing module is used for converting the network directed graph to obtain a risk matrix corresponding to the network directed graph; the first calculation module is used for calculating a weight value corresponding to each node in the network directed graph according to vulnerability information of each device in the network directed graph; a fifth determining module, configured to determine an influence degree of the target device in the network directed graph on other devices in the network directed graph after a security event occurs, where the occurrence of the security event by the target device in the network directed graph indicates that the target device is under attack; the first adjusting module is used for adjusting the initial weight value corresponding to each side in the network directed graph according to the influence degree of the target device in the network directed graph on other devices in the network directed graph after the security event occurs, so as to obtain the weight value corresponding to each side in the network directed graph.
Optionally, in the risk prediction apparatus for a network provided in the embodiment of the present application, the first determining unit includes: the second acquisition module is used for acquiring a network security knowledge graph; and the sixth determining module is used for determining whether the vulnerability among the plurality of devices in the network directed graph is utilized in a correlation mode according to the network security knowledge graph and the vulnerability information of each device in the network directed graph.
Optionally, in the risk prediction apparatus for a network provided in the embodiment of the present application, the second obtaining module includes: a first obtaining submodule, configured to obtain a plurality of attack methods that may be used to attack a network, the availability among the plurality of attack methods, and the consequences produced by adopting each attack method; and a first determining submodule, configured to determine the network security knowledge graph according to the plurality of attack methods that may be used to attack a network, the availability among the plurality of attack methods, and the consequences produced by adopting each attack method.
The risk prediction device of the network includes a processor and a memory, where the first acquiring unit 401, the second acquiring unit 402, the first processing unit 403, the first predicting unit 404, and the like are stored as program units, and the processor executes the program units stored in the memory to implement corresponding functions.
The processor includes a kernel, and the kernel fetches the corresponding program unit from the memory. One or more kernels may be provided, and the accuracy of predicting whether the network has security risks is improved by adjusting kernel parameters.
The memory may include forms of computer-readable media such as volatile memory, random access memory (RAM), and/or nonvolatile memory, for example read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
An embodiment of the present invention provides a computer-readable storage medium having stored thereon a program that, when executed by a processor, implements a risk prediction method for the network.
The embodiment of the invention provides a processor which is used for running a program, wherein the program runs to execute a risk prediction method of a network.
As shown in fig. 5, an embodiment of the present invention provides an electronic device, where the device includes a processor, a memory, and a program stored in the memory and executable on the processor, and when the processor executes the program, the following steps are implemented: obtaining a network directed graph, wherein the network directed graph at least comprises a plurality of nodes and a plurality of edges, each node is used for representing each device in a target network, each edge is used for representing access relations among a plurality of devices in the target network, and the target network is a network to be subjected to security risk prediction; acquiring a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph; inputting a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph to a graph neural network, and outputting a risk value corresponding to each device in the target network; and predicting the security risk of the target network according to the risk value corresponding to each device in the target network.
The processor also realizes the following steps when executing the program: according to the risk value corresponding to each device in the target network, performing security risk prediction on the target network includes: judging whether risk values corresponding to all devices in the target network are preset values or not; if the risk value corresponding to each device in the target network is the preset value, determining that the target network has no security risk; and if the risk value corresponding to each device in the target network is not the preset value, determining that the target network has safety risk.
The processor also realizes the following steps when executing the program: the acquiring the network directed graph comprises the following steps: acquiring a plurality of devices in the target network; determining access relationships among a plurality of devices in the target network; and determining the network directed graph according to the access relation between the plurality of devices in the target network and the plurality of devices in the target network.
The processor also realizes the following steps when executing the program: before the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph and the weight value corresponding to each edge in the network directed graph are obtained, the method further comprises: obtaining vulnerability information of each device in the network directed graph; determining whether the vulnerability among a plurality of devices in the network directed graph is utilized in a correlation manner according to the vulnerability information of each device in the network directed graph; if the vulnerability among the plurality of devices in the network directed graph is associated and utilized, calculating an initial weight value corresponding to each side in the network directed graph according to the vulnerability association and utilization degree among the plurality of devices in the network directed graph.
The processor also realizes the following steps when executing the program: the steps of obtaining a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each edge in the network directed graph include: converting the network directed graph to obtain a risk matrix corresponding to the network directed graph; according to vulnerability information of each device in the network directed graph, calculating to obtain a weight value corresponding to each node in the network directed graph; determining the influence degree of the target equipment in the network directed graph on other equipment in the network directed graph after the safety event occurs, wherein the safety event occurring in the target equipment in the network directed graph indicates that the target equipment is attacked; and adjusting the initial weight value corresponding to each side in the network directed graph according to the influence degree of the target device in the network directed graph on other devices in the network directed graph after the security event occurs, so as to obtain the weight value corresponding to each side in the network directed graph.
The processor also realizes the following steps when executing the program: determining whether the vulnerability between a plurality of devices in the network directed graph is utilized according to the vulnerability information of each device in the network directed graph comprises the following steps: acquiring a network security knowledge graph; and determining whether the vulnerability among a plurality of devices in the network directed graph is utilized in a correlation manner according to the network security knowledge graph and the vulnerability information of each device in the network directed graph.
The processor also realizes the following steps when executing the program: the obtaining of the network security knowledge graph comprises the following steps: acquiring a plurality of attack methods possibly used by an attack network, availability among the plurality of attack methods and consequences generated by adopting each attack method; and determining the network security knowledge graph according to a plurality of attack methods possibly used by the attack network, availability among the plurality of attack methods and results generated by adopting each attack method.
The device herein may be a server, PC, PAD, cell phone, etc.
The present application also provides a computer program product adapted to perform, when executed on a data processing device, a program initialized with the method steps of: obtaining a network directed graph, wherein the network directed graph at least comprises a plurality of nodes and a plurality of edges, each node is used for representing each device in a target network, each edge is used for representing access relations among a plurality of devices in the target network, and the target network is a network to be subjected to security risk prediction; acquiring a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph; inputting a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph to a graph neural network, and outputting a risk value corresponding to each device in the target network; and predicting the security risk of the target network according to the risk value corresponding to each device in the target network.
When executed on a data processing device, the computer program product is further adapted to execute a program initialized with the following method steps: performing security risk prediction on the target network according to the risk value corresponding to each device in the target network includes: judging whether the risk values corresponding to all devices in the target network are a preset value; if the risk value corresponding to each device in the target network is the preset value, determining that the target network has no security risk; and if the risk value corresponding to each device in the target network is not the preset value, determining that the target network has a security risk.
When executed on a data processing device, the computer program product is further adapted to execute a program initialized with the following method steps: acquiring the network directed graph includes: acquiring a plurality of devices in the target network; determining the access relationships among the plurality of devices in the target network; and determining the network directed graph according to the plurality of devices in the target network and the access relationships among them.
When executed on a data processing device, the computer program product is further adapted to execute a program initialized with the following method steps: before the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph and the weight value corresponding to each edge in the network directed graph are obtained, the method further includes: obtaining vulnerability information of each device in the network directed graph; determining, according to the vulnerability information of each device in the network directed graph, whether vulnerabilities among the plurality of devices in the network directed graph are exploited in association; and if vulnerabilities among the plurality of devices in the network directed graph are exploited in association, calculating an initial weight value corresponding to each edge in the network directed graph according to the degree of associated exploitation of vulnerabilities among the plurality of devices in the network directed graph.
When executed on a data processing device, the computer program product is further adapted to execute a program initialized with the following method steps: obtaining the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph and the weight value corresponding to each edge in the network directed graph includes: converting the network directed graph to obtain the risk matrix corresponding to the network directed graph; calculating the weight value corresponding to each node in the network directed graph according to the vulnerability information of each device in the network directed graph; determining the degree of influence that a target device in the network directed graph has on the other devices in the network directed graph after a security event occurs on it, wherein a security event occurring on the target device indicates that the target device has been attacked; and adjusting the initial weight value corresponding to each edge in the network directed graph according to that degree of influence, so as to obtain the weight value corresponding to each edge in the network directed graph.
When executed on a data processing device, the computer program product is further adapted to execute a program initialized with the following method steps: determining, according to the vulnerability information of each device in the network directed graph, whether vulnerabilities among the plurality of devices in the network directed graph are exploited in association includes: acquiring a network security knowledge graph; and determining whether vulnerabilities among the plurality of devices in the network directed graph are exploited in association according to the network security knowledge graph and the vulnerability information of each device in the network directed graph.
When executed on a data processing device, the computer program product is further adapted to execute a program initialized with the following method steps: acquiring the network security knowledge graph includes: acquiring a plurality of attack methods that may be used to attack a network, the availability among the plurality of attack methods, and the consequences produced by each attack method; and determining the network security knowledge graph according to the plurality of attack methods that may be used to attack a network, the availability among the plurality of attack methods, and the consequences produced by each attack method.
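The following sketch walks the steps above end to end; it is an illustration added here, not the applicant's implementation. The adjacency matrix as the risk matrix, severity-based weights, reachability as the influence degree, a preset value of 0 and a fixed noisy-OR propagation in place of the trained graph neural network are all assumptions, and the devices, access relations and knowledge graph are constructed sample data.

```python
PRESET = 0.0  # assumed "preset value" meaning "no risk"
# Constructed knowledge graph: attack method -> methods it makes available next.
KG = {"rce": {"cred_dump"}, "cred_dump": {"sql_login"}, "sql_login": set()}
# Constructed devices: each vulnerability is (attack method, severity in 0..1).
DEVICES = {"web": [("rce", 0.8)], "app": [("cred_dump", 0.6)],
           "db": [("sql_login", 0.9)], "log": []}
ACCESS = [("web", "app"), ("app", "db"), ("web", "log")]  # (u, v): u can access v

def build_graph(devices, access):
    """Sorted node list and 0/1 adjacency matrix (assumed form of the risk matrix)."""
    nodes = sorted(devices)
    idx = {d: i for i, d in enumerate(nodes)}
    adj = [[0] * len(nodes) for _ in nodes]
    for u, v in access:
        adj[idx[u]][idx[v]] = 1
    return nodes, adj

def node_weights(devices, nodes):
    """Assumed node weight: worst vulnerability severity on the device."""
    return [max((s for _, s in devices[d]), default=0.0) for d in nodes]

def initial_edge_weights(devices, nodes, adj, kg):
    """Non-zero only when a method on u makes a method on v available in the KG."""
    n = len(nodes)
    w = [[0.0] * n for _ in range(n)]
    for i, u in enumerate(nodes):
        for j, v in enumerate(nodes):
            if adj[i][j]:
                w[i][j] = max((su * sv for mu, su in devices[u]
                               for mv, sv in devices[v] if mv in kg.get(mu, ())),
                              default=0.0)
    return w

def influence(adj, i):
    """Share of the other devices reachable from i, i.e. its impact if attacked."""
    seen, stack = {i}, [i]
    while stack:
        for j, a in enumerate(adj[stack.pop()]):
            if a and j not in seen:
                seen.add(j)
                stack.append(j)
    return (len(seen) - 1) / max(len(adj) - 1, 1)

def adjust_edge_weights(w, adj):
    """Scale each initial weight by the source device's influence, staying in 0..1."""
    return [[x * (1 + influence(adj, i)) / 2 for x in row] for i, row in enumerate(w)]

def propagate(adj, nw, ew, rounds=3):
    """Fixed noisy-OR message passing, standing in for the trained GNN."""
    h = list(nw)
    for _ in range(rounds):
        nxt = []
        for j in range(len(h)):
            safe = 1.0 - nw[j]
            for i in range(len(h)):
                if adj[i][j]:
                    safe *= 1.0 - ew[i][j] * h[i]
            nxt.append(1.0 - safe)
        h = nxt
    return h

def predict(devices, access, kg=KG):
    """Return per-device risk values and whether any differs from PRESET."""
    nodes, adj = build_graph(devices, access)
    nw = node_weights(devices, nodes)
    ew = adjust_edge_weights(initial_edge_weights(devices, nodes, adj, kg), adj)
    risk = dict(zip(nodes, propagate(adj, nw, ew)))
    return risk, any(r != PRESET for r in risk.values())
```

In the sample network the database's risk value rises above its own node weight because the web and application servers' vulnerabilities chain into it, while the log host, which has no vulnerabilities and no associated exploitation on its incoming edge, stays at the preset value.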
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or nonvolatile memory, such as Read Only Memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (10)

1. A method for risk prediction in a network, comprising:
obtaining a network directed graph, wherein the network directed graph at least comprises a plurality of nodes and a plurality of edges, each node is used for representing each device in a target network, each edge is used for representing access relations among a plurality of devices in the target network, and the target network is a network to be subjected to security risk prediction;
acquiring a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each edge in the network directed graph;
inputting the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph and the weight value corresponding to each edge in the network directed graph to a graph neural network, and outputting a risk value corresponding to each device in the target network;
and predicting the security risk of the target network according to the risk value corresponding to each device in the target network.
2. The method of claim 1, wherein predicting the security risk for the target network based on the risk value corresponding to each device in the target network comprises:
judging whether the risk values corresponding to all devices in the target network are a preset value;
if the risk value corresponding to each device in the target network is the preset value, determining that the target network has no security risk;
and if the risk value corresponding to each device in the target network is not the preset value, determining that the target network has a security risk.
3. The method of claim 1, wherein obtaining a network directed graph comprises:
acquiring a plurality of devices in the target network;
determining the access relationships among the plurality of devices in the target network;
and determining the network directed graph according to the plurality of devices in the target network and the access relationships among them.
4. The method of claim 1, wherein prior to obtaining the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph, and the weight value corresponding to each edge in the network directed graph, the method further comprises:
obtaining vulnerability information of each device in the network directed graph;
determining, according to the vulnerability information of each device in the network directed graph, whether vulnerabilities among the plurality of devices in the network directed graph are exploited in association;
and if vulnerabilities among the plurality of devices in the network directed graph are exploited in association, calculating an initial weight value corresponding to each edge in the network directed graph according to the degree of associated exploitation of vulnerabilities among the plurality of devices in the network directed graph.
5. The method of claim 4, wherein obtaining the risk matrix corresponding to the network directed graph, the weight value corresponding to each node in the network directed graph, and the weight value corresponding to each edge in the network directed graph comprises:
converting the network directed graph to obtain a risk matrix corresponding to the network directed graph;
calculating the weight value corresponding to each node in the network directed graph according to the vulnerability information of each device in the network directed graph;
determining the degree of influence that a target device in the network directed graph has on the other devices in the network directed graph after a security event occurs on it, wherein a security event occurring on the target device indicates that the target device has been attacked;
and adjusting the initial weight value corresponding to each edge in the network directed graph according to that degree of influence, so as to obtain the weight value corresponding to each edge in the network directed graph.
6. The method of claim 4, wherein determining, according to the vulnerability information of each device in the network directed graph, whether vulnerabilities among the plurality of devices in the network directed graph are exploited in association comprises:
acquiring a network security knowledge graph;
and determining whether vulnerabilities among the plurality of devices in the network directed graph are exploited in association according to the network security knowledge graph and the vulnerability information of each device in the network directed graph.
7. The method of claim 6, wherein obtaining a network security knowledge-graph comprises:
acquiring a plurality of attack methods that may be used to attack a network, the availability among the plurality of attack methods, and the consequences produced by each attack method;
and determining the network security knowledge graph according to the plurality of attack methods that may be used to attack a network, the availability among the plurality of attack methods, and the consequences produced by each attack method.
8. A risk prediction apparatus for a network, comprising:
the first acquisition unit is used for acquiring a network directed graph, wherein the network directed graph at least comprises a plurality of nodes and a plurality of edges, each node is used for representing each device in a target network, each edge is used for representing the access relation among a plurality of devices in the target network, and the target network is a network to be subjected to security risk prediction;
the second acquisition unit is used for acquiring a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each edge in the network directed graph;
the first processing unit is used for inputting a risk matrix corresponding to the network directed graph, a weight value corresponding to each node in the network directed graph and a weight value corresponding to each side in the network directed graph into a graph neural network, and outputting a risk value corresponding to each device in the target network;
the first prediction unit is used for predicting the security risk of the target network according to the risk value corresponding to each device in the target network.
9. A processor, characterized in that the processor is configured to run a program, wherein the program when run performs the risk prediction method of the network according to any of claims 1 to 7.
10. An electronic device comprising one or more processors and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the risk prediction method of the network of any of claims 1-7.
CN202211734945.7A 2022-12-30 2022-12-30 Risk prediction method and device for network, processor and electronic equipment Pending CN116070382A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211734945.7A CN116070382A (en) 2022-12-30 2022-12-30 Risk prediction method and device for network, processor and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211734945.7A CN116070382A (en) 2022-12-30 2022-12-30 Risk prediction method and device for network, processor and electronic equipment

Publications (1)

Publication Number Publication Date
CN116070382A true CN116070382A (en) 2023-05-05

Family

ID=86174244

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211734945.7A Pending CN116070382A (en) 2022-12-30 2022-12-30 Risk prediction method and device for network, processor and electronic equipment

Country Status (1)

Country Link
CN (1) CN116070382A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116962080A (en) * 2023-09-19 2023-10-27 中孚信息股份有限公司 Alarm filtering method, system and medium based on network node risk assessment
CN116962080B (en) * 2023-09-19 2023-12-15 中孚信息股份有限公司 Alarm filtering method, system and medium based on network node risk assessment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination